Lenovo is finding itself embroiled in yet another security scandal, and this time it revolves around the BIOS used in many of its PC systems. According to security researcher Dmytro Oleksiuk (aka Cr4sh), the vulnerability lies in the SystemSmmRuntimeRt UEFI driver component of Lenovo's firmware. Oleksiuk claims that the vulnerability is present in every ThinkPad machine dating back as far as the X220 and as recently as the T450s.
The vulnerability can allow a malicious party to run code in System Management Mode (SMM), which makes it possible to disable not only flash write protection but also Secure Boot. It also makes it possible to bypass the Virtual Secure Mode (VSM) used by Windows 10 Enterprise.
So how exactly did this vulnerability pass under Lenovo's nose without it sniffing out something funky? Well, Lenovo claims that one of its Independent BIOS Vendors (IBVs) developed the BIOS installed on its ThinkPad machines, and that the IBV simply copied reference code straight from Intel (which is common practice). The vulnerability went undetected until Oleksiuk started snooping around in the firmware.
Lenovo is understandably a bit peeved about the disclosure of this gaping hole in its security, writing, “Shortly after the researcher stated over social media that he would disclose a BIOS-level vulnerability in Lenovo products, Lenovo PSIRT made several unsuccessful attempts to collaborate with the researcher in advance of his publication of this information.”
Lenovo also tries to duck responsibility, instead shifting partial blame to both the IBV and Intel, which provided the original code that was copied:
The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose. But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code.
Since this code originated from Intel and was likely used by more than one IBV, it's highly likely that Lenovo isn't the only OEM susceptible to this particular attack vector. Lenovo is simply an easy target since it's been caught with its hands in the cookie jar before, but we could see more wide-scale fallout from this disclosure in the coming weeks and months. As you can see in the tweet below, at least one HP machine (2010 vintage) is affected.